wpad on pfSense with lighttpd

pfSense has a handy documentation page on setting up proxy auto-configuration, but sadly the first thing it says is that you have to run the webConfigurator GUI in HTTP mode, which is kind of annoying.

Given the auto-config of nginx (which runs the pfSense GUI) will likely blat any changes I make, I decided to use lighttpd instead.

In short, we’re going to:

  1. install a web server
  2. make a pac file
  3. make it available at a couple of different URLs via that web server
  4. have cake

Here’s how I did it…

Install lighttpd by running the following:

sudo pkg install lighttpd

Enable lighttpd by editing rc.conf and adding lighttpd_enable=YES to make sure it starts:

sudo vi /etc/rc.conf

To find the lighttpd document root (the directory it serves files from), in case it has been changed in future:

sudo grep server.document-root /usr/local/etc/lighttpd/lighttpd.conf | egrep -v "^#"

On my 2.4.1 pfSense box it was server.document-root = "/usr/local/www/data/".

If you want to change the web server location, edit /usr/local/etc/lighttpd/lighttpd.conf and look for server.document-root.

Create the data directory, to keep it separate from the GUI. Also create a default index.html because we like avoiding directory listings…

sudo mkdir -p /usr/local/www/data/
sudo touch /usr/local/www/data/index.html

Create the PAC file (sudo vi /usr/local/www/data/proxy.pac) and put the following in - make sure to change the IP to match your squid box:

function FindProxyForURL(url,host) {
 	// "PROXY" is followed by the address of your squid box
 	return "PROXY";
}

Create the wpad.dat file as a link because some clients need it. This means you only have to edit one file:

sudo ln -s /usr/local/www/data/proxy.pac /usr/local/www/data/wpad.dat

Update the MIME type for wpad.dat to send the right type to the browser, by editing mime.conf. Add this line near the others:

"wpad.dat" => "application/x-ns-proxy-autoconfig",

Restart lighttpd to apply the changes:

sudo service lighttpd restart

Check your work:

$ curl -vvv
*   Trying
* Connected to ( port 80 (#0)
> GET /proxy.pac HTTP/1.1
> Host:
> User-Agent: curl/7.55.1
> Accept: */*
< HTTP/1.1 200 OK
< Content-Type: application/x-ns-proxy-autoconfig
< Accept-Ranges: bytes
< ETag: "3644651125"
< Last-Modified: Wed, 07 Mar 2018 00:14:40 GMT
< Content-Length: 74
< Date: Wed, 07 Mar 2018 05:11:27 GMT
< Server: lighttpd/1.4.47
 function FindProxyForURL(url,host)
 return "PROXY"; 
* Connection #0 to host left intact

The key things you’re looking for are the Content-Type headers and making sure your file comes back. :)
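
The same two checks as a script, added here as an example that is not part of the original post: it reads the output of `curl -si` for either proxy.pac or wpad.dat and fails if the status, the Content-Type or the body is wrong. The function name, the return codes and the sample responses are constructed for illustration, and the failing sample assumes a server that falls back to a generic type when the mime.conf entry is missing.

```shell
#!/bin/sh
# Added example: validate the output of `curl -si <url>` for proxy.pac / wpad.dat.
PAC_MIME="application/x-ns-proxy-autoconfig"

# Reads a raw HTTP response (headers, blank line, body) on stdin.
# Returns 0 if OK, 1 bad status, 2 wrong Content-Type, 3 body is not a PAC file.
check_pac_response() {
    resp=$(tr -d '\r')    # HTTP uses CRLF line endings; normalise to LF
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    # Header names are case-insensitive; drop parameters such as charset.
    ctype=$(printf '%s\n' "$resp" | awk '
        /^$/ { exit }
        tolower($0) ~ /^content-type:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*;.*/, ""); sub(/[ \t]+$/, "")
            print tolower($0); exit
        }')
    body=$(printf '%s\n' "$resp" | awk 'inbody { print } /^$/ { inbody = 1 }')

    [ "$status" = "200" ] || { echo "FAIL: HTTP status '$status'"; return 1; }
    [ "$ctype" = "$PAC_MIME" ] || { echo "FAIL: Content-Type '$ctype'"; return 2; }
    printf '%s\n' "$body" | grep -q 'function[[:space:]]*FindProxyForURL' ||
        { echo "FAIL: body does not define FindProxyForURL"; return 3; }
    echo "OK"
}

# Constructed sample responses (not captured from a real server).
good_resp='HTTP/1.1 200 OK
Content-Type: application/x-ns-proxy-autoconfig

function FindProxyForURL(url, host) { return "DIRECT"; }'

# Assumed failure case: wpad.dat served with a generic type because the
# mime.conf entry was not added.
bad_resp='HTTP/1.1 200 OK
Content-Type: application/octet-stream

function FindProxyForURL(url, host) { return "DIRECT"; }'

printf '%s\n' "$good_resp" | check_pac_response
printf '%s\n' "$bad_resp" | check_pac_response || true
```

Against a live box, pipe `curl -si` for each of the two URLs into `check_pac_response` after every change to the PAC file or mime.conf.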
